Abstract. Desharnais, Gupta, Jagadeesan and Panangaden introduced a family of
behavioural pseudometrics for probabilistic transition systems. These pseudometrics are a
quantitative analogue of probabilistic bisimilarity. Distance zero captures probabilistic
bisimilarity. Each pseudometric has a discount factor, a real number in the interval (0, 1].
The smaller the discount factor, the more the future is discounted. If the discount factor is
one, then the future is not discounted at all. Desharnais et al. showed that the behavioural
distances can be calculated up to any desired degree of accuracy if the discount factor is
smaller than one. In this paper, we show that the distances can also be approximated if the
future is not discounted. A key ingredient of our algorithm is Tarski's decision procedure
for the first order theory over real closed fields. By exploiting the Kantorovich-Rubinstein
duality theorem we can restrict to the existential fragment for which more efficient decision
procedures exist.



For systems that contain quantitative information, like, for example, probabilities, time
and costs, several behavioural pseudometrics (and closely related notions) have been
introduced. In this paper, we focus on
probabilistic transition systems, which are a variant of Markov chains. Desharnais, Gupta,
Jagadeesan and Panangaden [18] introduced a family of behavioural pseudometrics for these
systems. These pseudometrics assign a distance, a real number in the interval [0, 1], to each
pair of states of the probabilistic transition system. The distance captures the behavioural
similarity of the states. The smaller the distance, the more alike the states behave. The
distance is zero if and only if the states are probabilistic bisimilar, a behavioural equivalence
introduced by Larsen and Skou [26].

The pseudometrics of Desharnais et al. are defined via real-valued interpretations of
Larsen and Skou's probabilistic modal logic. Formulae assume truth values in the interval
[0, 1]. Conjunction and disjunction are interpreted using the lattice structure of the unit
interval. The modality $\langle a \rangle$ is interpreted arithmetically by integration. The behavioural
distance between states $s_1$ and $s_2$ is then defined as the supremum over all formulae $\varphi$ of
the difference in the truth value of $\varphi$ in $s_1$ and in $s_2$.

The definition of the behavioural pseudometrics of Desharnais et al. is parametrized by
a discount factor $\delta$, a real number in the interval (0, 1]. The smaller the discount factor,
the more (behavioural differences in) the future are discounted. In the case that $\delta$ equals
one, the future is not discounted. All differences in behaviour, whether in the near or far
future, contribute alike to the distance. For systems that (in principle) run forever, we may
be interested in all these differences and, hence, in the pseudometric that does not discount
the future.

In [16], Desharnais et al. presented an algorithm to approximate the behavioural
distances for $\delta$ smaller than one. The first and third author [7] also presented an approximation
algorithm for $\delta$ smaller than one.

There is a fundamental difference between pseudometrics that discount the future and
the one that does not. This is, for example, reflected by the fact that all pseudometrics that
discount the future give rise to the same topology, whereas the pseudometric that does not
discount the future gives rise to a different topology (see, for example, [18, page 350]). As a
consequence, it may not be surprising that neither approximation algorithm mentioned in
the previous paragraph can be modified in an obvious way to handle the case that $\delta$ equals
one.

The main contribution of this paper is an algorithm that approximates behavioural
distances in case the discount factor $\delta$ equals one. Starting from the logical definition of
the pseudometric by Desharnais et al., we first give a characterisation of the pseudometric
as the greatest (post-)fixed point of a functional on a complete lattice [0, 1], where $S$ is
the set of states of the probabilistic transition system in question. This functional is closely
related to the Kantorovich metric [24] on probability measures. Next, we dualize this
characterization exploiting the Kantorovich-Rubinstein duality theorem [25]. Subsequently,
we show, exploiting the dual characterization, that a pseudometric being a post-fixed point
can be expressed in the existential fragment of the first order theory over real closed fields.
Based on the fact that this first order theory is decidable, a result due to Tarski [31], we
show how to approximate the behavioural distances. Finally, we discuss an implementation
of our algorithm in Mathematica.

Exploiting the techniques put forward in this paper, we have also developed an
algorithm to approximate the behavioural pseudometric that is presented in [3]. The other
algorithm can be found in [30].



More generally, de Alfaro [13] and McIver and Morgan [27] have given real-valued interpretations to the
modal mu-calculus following this pattern. Moreover, de Alfaro has shown that the behavioural pseudometrics
induced by mu-calculus formulae agree with those of [18].

2. Systems and pseudometrics

Some basic notions that will play a role in the rest of this paper are presented below.
First we introduce the systems of interest: probabilistic transition systems.

Definition 2.1. A probabilistic transition system is a tuple $(S, \pi)$ consisting of

• a finite set $S$ of states and

• a function $\pi : S \times S \to [0, 1] \cap \mathbb{Q}$ satisfying $\sum_{s' \in S} \pi(s, s') \in \{0, 1\}$.

We write $s \to$ if $\sum_{s' \in S} \pi(s, s') = 1$ and $s \not\to$ if $\sum_{s' \in S} \pi(s, s') = 0$.

For states $s$ and $s'$, $\pi(s, s')$ is the probability of making a transition to state $s'$ given
that the system is in state $s$. Each state $s$ either has no outgoing transitions ($s \not\to$) or
a transition is taken with probability 1 ($s \to$). To simplify the presentation, we do not
consider the case that a state $s$ may refuse to make a transition with some probability, that
is, $\sum_{s' \in S} \pi(s, s') \in (0, 1)$. However, all our results can easily be generalized to handle that
case as well (see [30]). We also do not consider transitions that are labelled with actions.
All our results can also easily be modified to handle labelled transitions (see [30]). In the
labelled case, the definition of probabilistic transition system is a mild generalisation of the
notion of Markov chain.

We restrict to rational transition probabilities in order that probabilistic transition
systems be finitely representable. Here we assume that rational numbers are represented
as pairs of integers in binary. We believe that the algorithm presented in this paper could
be adapted to accommodate transition probabilities that are algebraic numbers, but we do
not pursue this question here.

In the rest of this paper, we will use the following probabilistic transition system as our 
running example. 

Example 2.2. We consider a probabilistic transition system with five states: $s_1$, $s_2$, $s_3$, $s_4$
and $s_5$. The following table contains the transition probabilities and, hence, captures $\pi$.





[Table of the transition probabilities $\pi(s_i, s_j)$.]

The probabilistic transition system can be depicted as the following graph.

[Figure: graph of the probabilistic transition system.]

We consider states of a probabilistic transition system behaviourally equivalent if they
are probabilistic bisimilar [26].

Definition 2.3. Let $(S, \pi)$ be a probabilistic transition system. An equivalence relation
$\mathcal{R}$ on the set of states $S$ is a probabilistic bisimulation if $s_1 \mathrel{\mathcal{R}} s_2$ implies
$\sum_{s \in E} \pi(s_1, s) = \sum_{s \in E} \pi(s_2, s)$ for all $\mathcal{R}$-equivalence classes $E$. States $s_1$ and $s_2$ are
probabilistic bisimilar, denoted $s_1 \sim s_2$, if $s_1 \mathrel{\mathcal{R}} s_2$ for some probabilistic bisimulation $\mathcal{R}$.

Note that probabilistic bisimilar states $s_1$ and $s_2$ have the same probability of
transitioning to an equivalence class $E$ of probabilistic bisimilar states.

Example 2.4. Consider the probabilistic transition system of Example 2.2. The smallest
equivalence relation containing $(s_3, s_5)$ is a probabilistic bisimulation. Hence, the states $s_3$
and $s_5$ are probabilistic bisimilar.

The behavioural pseudometrics that we study in this paper yield pseudometric spaces 
on the state space of probabilistic transition systems. 

Definition 2.5. A 1-bounded pseudometric space is a pair $(X, d_X)$ consisting of a set $X$
and a distance function $d_X : X \times X \to [0, 1]$ satisfying

(1) for all $x \in X$, $d_X(x, x) = 0$,

(2) for all $x, y \in X$, $d_X(x, y) = d_X(y, x)$, and

(3) for all $x, y, z \in X$, $d_X(x, z) \le d_X(x, y) + d_X(y, z)$.

Instead of $(X, d_X)$ we often write $X$ and we denote the distance function of a metric space
$X$ by $d_X$.

Example 2.6. Let $X$ be a set. The discrete metric $d_X : X \times X \to [0, 1]$ is defined by

A (1-bounded) pseudometric space differs from a (1-bounded) metric space in that
different points may have distance zero in the former and not in the latter. Since
different states of a system may behave the same, such states will have distance zero in our
behavioural pseudometrics.

In the characterization of a behavioural pseudometric in Section 4, nonexpansive
functions play a key role.

Definition 2.7. Let $X$ be a 1-bounded pseudometric space. A function $f : X \to [0, 1]$ is
nonexpansive if for all $x_1, x_2 \in X$,

$$|f(x_1) - f(x_2)| \le d_X(x_1, x_2).$$

The set of nonexpansive functions from $X$ to $[0, 1]$ is denoted by $X \multimap [0, 1]$.

Example 2.8. If the set $X$ is endowed with the discrete metric, then every function from
$X$ to $[0, 1]$ is nonexpansive.

3. Behavioural pseudometrics

Desharnais, Gupta, Jagadeesan and Panangaden [18] introduced a family of behavioural
pseudometrics for probabilistic transition systems. Below, we will briefly review the key
ingredients of their definition.

To define their behavioural pseudometrics, Desharnais et al. defined a real-valued
semantics of a variant of Larsen and Skou's probabilistic modal logic [26]. We describe this
variant, adapted to the case of unlabelled transition systems, in Definition 3.1.

Definition 3.1. The logic $\mathcal{L}$ is defined by

$$\varphi ::= \mathrm{true} \mid \Diamond\varphi \mid \varphi \wedge \varphi \mid \neg\varphi \mid \varphi \ominus q$$

where $q \in [0, 1] \cap \mathbb{Q}$.

The main difference between the above logic and the one of Larsen and Skou is that
we have $\Diamond\varphi$ and $\varphi \ominus q$ whereas they combine the operators $\Diamond$ and $\ominus q$ into one. Since they
consider labelled transitions, they use the notation $\langle a \rangle_q$ for this combined operator.

Desharnais et al. provided a family of real-valued interpretations of the logic. That is,
given a probabilistic transition system and a discount factor $\delta$, the interpretation gives a
quantitative measure of the validity of a formula $\varphi$ of the logic in a state $s$ of the system.
The interpretation $[\![\varphi]\!]_\delta(s)$ is a real number in the interval [0, 1]. It measures the validity of
the formula $\varphi$ in the state $s$. This real number can roughly be thought of as the probability
that $\varphi$ is true in $s$.

Definition 3.2. Given a probabilistic transition system $(S, \pi)$ and a discount factor
$\delta \in (0, 1]$, for each $\varphi \in \mathcal{L}$, the function $[\![\varphi]\!]_\delta : S \to [0, 1]$ is defined by

$$\begin{aligned}
[\![\mathrm{true}]\!]_\delta(s) &= 1 \\
[\![\Diamond\varphi]\!]_\delta(s) &= \delta \sum_{s' \in S} \pi(s, s') \, [\![\varphi]\!]_\delta(s') \\
[\![\varphi \wedge \psi]\!]_\delta(s) &= \min\{ [\![\varphi]\!]_\delta(s), [\![\psi]\!]_\delta(s) \} \\
[\![\neg\varphi]\!]_\delta(s) &= 1 - [\![\varphi]\!]_\delta(s) \\
[\![\varphi \ominus q]\!]_\delta(s) &= \max\{ [\![\varphi]\!]_\delta(s) - q, 0 \}
\end{aligned}$$

Example 3.3. Consider the probabilistic transition system of Example 2.2. For this system,
$[\![\Diamond\mathrm{true}]\!]_\delta(s_3) = \delta$ and $[\![\Diamond\mathrm{true}]\!]_\delta(s_4) = 0$.

Given a discount factor $\delta \in (0, 1]$, the behavioural pseudometric $d_\delta$ assigns a distance, a
real number in the interval [0, 1], to every pair of states of a probabilistic transition system.
The distance is defined in terms of the logical formulae and their interpretation. Roughly
speaking, the distance is captured by the logical formula that distinguishes the states the
most.

Definition 3.4. Given a probabilistic transition system $(S, \pi)$ and a discount factor
$\delta \in (0, 1]$, the distance function $d_\delta : S \times S \to [0, 1]$ is defined by

$$d_\delta(s_1, s_2) = \sup_{\varphi \in \mathcal{L}} \; [\![\varphi]\!]_\delta(s_1) - [\![\varphi]\!]_\delta(s_2).$$

Example 3.5. Consider the probabilistic transition system of Example 2.2. For example,
the states $s_3$ and $s_4$ are $\delta$ apart. This distance is witnessed by the formula $\Diamond\mathrm{true}$. The
distances are collected in the following table. Since a distance function is symmetric and
the distance from a state to itself is zero, we do not give all the entries.

[Table of the distances $d_\delta(s_i, s_j)$.]

2 These distances were obtained by ad-hoc methods including Proposition B.5 and checked for numerous
different discount factors using the algorithm described in [7].

Proposition 3.6 ([18, Theorem 5.2]). $d_\delta$ is a 1-bounded pseudometric space.

Proof. First, observe that

$$[\![\neg\varphi]\!]_\delta(s_1) - [\![\neg\varphi]\!]_\delta(s_2) = [\![\varphi]\!]_\delta(s_2) - [\![\varphi]\!]_\delta(s_1).$$

As a consequence, we can replace $[\![\varphi]\!]_\delta(s_1) - [\![\varphi]\!]_\delta(s_2)$ in the definition of $d_\delta$ with
$|[\![\varphi]\!]_\delta(s_1) - [\![\varphi]\!]_\delta(s_2)|$. Checking now that $d_\delta$ satisfies the three conditions of Definition 2.5 is
straightforward. □

States having distance zero defines an equivalence relation. That is, for a pseudometric
$d$ on states, the relation $\equiv_d$ on states defined by

$$s_1 \equiv_d s_2 \text{ if } d(s_1, s_2) = 0$$

is an equivalence relation. We denote the equivalence class that contains the state $s$ by $[s]_d$,
that is,

$$[s]_d = \{ s' \in S \mid d(s, s') = 0 \}.$$

Each behavioural pseudometric $d_\delta$ is a quantitative analogue of probabilistic
bisimilarity. This behavioural equivalence is exactly captured by those states that have distance
zero.

Proposition 3.7 ([18, Theorem 4.10]). Given a probabilistic transition system $(S, \pi)$ and
a discount factor $\delta \in (0, 1]$,

$$\equiv_{d_\delta} \;=\; \sim.$$

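Proof. We split the proof in two parts.

• Assume that $s_1 \sim s_2$. It suffices to show that $[\![\varphi]\!]_\delta(s_1) = [\![\varphi]\!]_\delta(s_2)$ for all $\varphi \in \mathcal{L}$. We can
prove this by structural induction on $\varphi$. We focus here on the only nontrivial case: $\Diamond\varphi$.
Let $\{ E_i \mid i \in I \}$ be the $\sim$-equivalence classes. Assume that $e_i$ is an element of $E_i$. By
induction, the function $[\![\varphi]\!]_\delta$ restricted to $E_i$ is constant. Hence,

$$\begin{aligned}
[\![\Diamond\varphi]\!]_\delta(s_1)
&= \delta \sum_{i \in I} \sum_{s \in E_i} \pi(s_1, s) \, [\![\varphi]\!]_\delta(s) \\
&= \delta \sum_{i \in I} [\![\varphi]\!]_\delta(e_i) \sum_{s \in E_i} \pi(s_1, s) \\
&= \delta \sum_{i \in I} [\![\varphi]\!]_\delta(e_i) \sum_{s \in E_i} \pi(s_2, s) \qquad [s_1 \sim s_2] \\
&= [\![\Diamond\varphi]\!]_\delta(s_2).
\end{aligned}$$

• We show that the relation $\equiv_{d_\delta}$ is a probabilistic bisimulation. Obviously, $\equiv_{d_\delta}$ is an
equivalence relation. Assume that $s_1 \equiv_{d_\delta} s_2$. That is, $d_\delta(s_1, s_2) = 0$. Let $E$ be an
$\equiv_{d_\delta}$-equivalence class. Without loss of any generality, we may assume that $E$ is of the form
$[s]_{d_\delta}$. From the definition of $d_\delta$ we can infer that all states in $[s]_{d_\delta}$ assign the same value
to each formula. For each state $s' \notin [s]_{d_\delta}$ there exists a formula $\varphi_{s'}$ such that
$[\![\varphi_{s'}]\!]_\delta(s) \ne [\![\varphi_{s'}]\!]_\delta(s')$. Without loss of any generality, we may assume that
$[\![\varphi_{s'}]\!]_\delta(s) > [\![\varphi_{s'}]\!]_\delta(s')$. Hence, there exists a rational $q_{s'}$ in [0, 1] such that
$[\![\varphi_{s'} \ominus q_{s'}]\!]_\delta(s') = 0$ and $[\![\varphi_{s'} \ominus q_{s'}]\!]_\delta(s) > 0$.
Now consider the formula

Then $[\![\varphi]\!]_\delta(s'') > 0$ iff $s'' \in [s]_{d_\delta}$. As a consequence,

$$\begin{aligned}
& \delta \, [\![\varphi]\!]_\delta(s) \sum_{s' \in [s]_{d_\delta}} \pi(s_1, s') \\
&= \delta \sum_{s' \in [s]_{d_\delta}} \pi(s_1, s') \, [\![\varphi]\!]_\delta(s') \\
&= \delta \sum_{s'' \in S} \pi(s_1, s'') \, [\![\varphi]\!]_\delta(s'') \qquad [[\![\varphi]\!]_\delta(s'') = 0 \text{ for all } s'' \notin [s]_{d_\delta}] \\
&= [\![\Diamond\varphi]\!]_\delta(s_1) \\
&= [\![\Diamond\varphi]\!]_\delta(s_2) \qquad [d_\delta(s_1, s_2) = 0] \\
&= \delta \, [\![\varphi]\!]_\delta(s) \sum_{s' \in [s]_{d_\delta}} \pi(s_2, s').
\end{aligned}$$

Therefore, $\sum_{s' \in [s]_{d_\delta}} \pi(s_1, s') = \sum_{s' \in [s]_{d_\delta}} \pi(s_2, s')$ and, hence, $\equiv_{d_\delta}$ is a probabilistic
bisimulation. □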

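In [16], Desharnais et al. present a decision procedure for the behavioural pseudometric
$d_\delta$ when $\delta$ is smaller than one. Let us briefly sketch their algorithm. They define the depth
of a logical formula as follows.

$$\begin{aligned}
\mathrm{depth}(\mathrm{true}) &= 0 \\
\mathrm{depth}(\Diamond\varphi) &= \mathrm{depth}(\varphi) + 1 \\
\mathrm{depth}(\varphi \wedge \psi) &= \max\{ \mathrm{depth}(\varphi), \mathrm{depth}(\psi) \} \\
\mathrm{depth}(\neg\varphi) &= \mathrm{depth}(\varphi) \\
\mathrm{depth}(\varphi \ominus q) &= \mathrm{depth}(\varphi)
\end{aligned}$$

One can easily verify that $[\![\varphi]\!]_\delta(s_1) - [\![\varphi]\!]_\delta(s_2) \le \delta^{\mathrm{depth}(\varphi)}$ for all $\varphi \in \mathcal{L}$. This suggests that
one can compute $d_\delta$ to any desired degree of accuracy by restricting attention to formulae
$\varphi$ of a fixed modal depth. Clearly, there exist infinitely many formulae of each fixed modal
depth. Nevertheless, Desharnais et al. show how to construct a finite subset $\mathcal{F}_n$ of the
logical formulae of at most depth $n$ such that

$$d_\delta(s_1, s_2) - \sup_{\varphi \in \mathcal{F}_n} \bigl( [\![\varphi]\!]_\delta(s_1) - [\![\varphi]\!]_\delta(s_2) \bigr) \le \delta^n.$$

In this way, $d_\delta(s_1, s_2)$ can be approximated up to arbitrary accuracy provided $\delta$ is smaller
than one.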
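The real-valued semantics of Definition 3.2 and the depth function, as an added Python example that is not code from the paper. The five-state system `PI`, the tuple encoding of formulae and all function names are constructed for illustration; on this system the depth-n formula with n nested diamonds separates the states a and b by $\delta^n (1 - 2^{-(n-1)})$, which stays within the $\delta^{\mathrm{depth}(\varphi)}$ bound.

```python
from fractions import Fraction as F

# Constructed five-state system (an assumption of this example, not the paper's Example 2.2).
# a: loops with probability 1/2 or moves to the stuck state z; b: loops forever;
# z: no outgoing transition (row sums to 0); c, e: move to a or b with different weights.
A, B, Z, C, E = range(5)
PI = [
    [F(1, 2), F(0), F(1, 2), F(0), F(0)],   # a
    [F(0), F(1), F(0), F(0), F(0)],         # b
    [F(0), F(0), F(0), F(0), F(0)],         # z
    [F(1, 2), F(1, 2), F(0), F(0), F(0)],   # c
    [F(1, 4), F(3, 4), F(0), F(0), F(0)],   # e
]

# Formulae as nested tuples (hypothetical encoding):
# ("true",), ("dia", phi), ("and", phi, psi), ("not", phi), ("minus", phi, q)
TRUE = ("true",)


def value(phi, s, pi, delta):
    """[[phi]]_delta(s), one branch per clause of Definition 3.2."""
    op = phi[0]
    if op == "true":
        return F(1)
    if op == "dia":       # discounted expected value of phi after one transition
        return delta * sum((p * value(phi[1], t, pi, delta)
                            for t, p in enumerate(pi[s]) if p), F(0))
    if op == "and":
        return min(value(phi[1], s, pi, delta), value(phi[2], s, pi, delta))
    if op == "not":
        return 1 - value(phi[1], s, pi, delta)
    if op == "minus":     # truncated subtraction of the rational q
        return max(value(phi[1], s, pi, delta) - phi[2], F(0))
    raise ValueError(f"unknown operator {op!r}")


def depth(phi):
    """Modal depth: only the diamond increases it."""
    op = phi[0]
    if op == "true":
        return 0
    if op == "dia":
        return depth(phi[1]) + 1
    if op == "and":
        return max(depth(phi[1]), depth(phi[2]))
    return depth(phi[1])  # "not" and "minus"


def dia_n(n):
    """The formula with n nested diamonds around true."""
    phi = TRUE
    for _ in range(n):
        phi = ("dia", phi)
    return phi


def gap(phi, s1, s2, pi, delta):
    """Lower bound on d_delta(s1, s2) witnessed by phi or by its negation."""
    return abs(value(phi, s1, pi, delta) - value(phi, s2, pi, delta))


if __name__ == "__main__":
    for n in range(1, 6):
        print(n, gap(dia_n(n), A, B, PI, F(1)), gap(dia_n(n), A, B, PI, F(1, 2)))
```

With discount factor one the witnessed gap between a and b grows towards 1 as the depth increases, which is why no fixed depth suffices in the undiscounted case.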

4. A FIXED POINT CHARACTERIZATION AND ITS DUAL 

For the rest of this paper, we focus on the behavioural pseudometric that does not
discount the future. That is, we concentrate on the pseudometric $d_1$. Below, we present an
alternative characterization of this pseudometric. In particular, we characterize $d_1$ as the
greatest (post-)fixed point of a function $\Delta$ from a complete lattice to itself. This
characterization can be viewed as a quantitative analogue of the greatest fixed point characterization
of bisimilarity [29].

We also dualize the definition of $\Delta$ exploiting the Kantorovich-Rubinstein duality
theorem [25]. As we will see in Section 5, this dual characterization will allow us to define $\Delta$
as the solution to a minimization problem rather than a maximization problem, as above.
In turn this will allow us to capture the fact that a pseudometric is a post-fixed point of $\Delta$
in the existential fragment of the first order theory over real closed fields.

For the rest of this paper, we fix a probabilistic transition system $(S, \pi)$. We endow the
set of pseudometrics on $S$ with the following order.

Definition 4.1. The relation $\sqsubseteq$ on 1-bounded pseudometrics on $S$ is defined by

$$d_1 \sqsubseteq d_2 \text{ if } d_1(s_1, s_2) \ge d_2(s_1, s_2) \text{ for all } s_1, s_2 \in S.$$

Note the reverse direction of $\sqsubseteq$ and $\ge$ in the above definition. We decided to make
this reversal so that $d_1$ is a greatest fixed point, in analogy with the characterization of
bisimilarity, rather than a least fixed point. This choice has no impact on any results in
this paper.

Proposition 4.2 ([13, Lemma 3.2]). The set of 1-bounded pseudometrics on $S$ endowed
with the order $\sqsubseteq$ forms a complete lattice.

Proof. Obviously, $\sqsubseteq$ is a partial order. The top element is the 1-bounded pseudometric $\top$
defined by

$$\top(s_1, s_2) = 0.$$

The bottom element is the 1-bounded pseudometric $\bot$ defined by

$$\bot(s_1, s_2) = \begin{cases} 0 & \text{if } s_1 = s_2 \\ 1 & \text{otherwise.} \end{cases}$$

Let $D$ be a nonempty set of 1-bounded pseudometrics on $S$. The meet of $D$ is the 1-bounded
pseudometric $\sqcap D$ defined by

$$(\sqcap D)(s_1, s_2) = \sup_{d \in D} d(s_1, s_2).$$

The join of $D$ can be expressed in terms of the meet of $D$ (see, for example, [12, Lemma 2.15]).

□

Whereas meets of pseudometrics are computed pointwise using the supremum on [0, 1],
joins of pseudometrics are not.

Next, we introduce a function from this complete lattice to itself of which the
behavioural pseudometric $d_1$ is the greatest fixed point.

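Definition 4.3. Let $d$ be a 1-bounded pseudometric on $S$. The distance function
$\Delta(d) : S \times S \to [0, 1]$ is defined by

$$\Delta(d)(s_1, s_2) = \max \Bigl\{ \sum_{s \in S} f(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) \Bigm| f \in (S, d) \multimap [0, 1] \Bigr\}$$

if $s_1 \to$ and $s_2 \to$, and

$$\Delta(d)(s_1, s_2) = \begin{cases} 0 & \text{if } s_1 \not\to \text{ and } s_2 \not\to \\ 1 & \text{otherwise.} \end{cases}$$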

Note that we can write max above rather than sup since $(S, d) \multimap [0, 1]$, being a closed
subset of the product space $[0, 1]^S$, is compact.

The functional $\Delta$ is closely related to the Kantorovich metric [24] on probability
measures. In the definition of that metric, nonexpansive functions play a key role.

The Kantorovich metric is the smallest distance function on probability measures for which integration
of nonexpansive functions is nonexpansive.

Proposition 4.4. $\Delta(d)$ is a 1-bounded pseudometric on $S$.

Proof. Note that $f \in (S, d) \multimap [0, 1]$ implies $1 - f \in (S, d) \multimap [0, 1]$. Furthermore, if $s_1 \to$
and $s_2 \to$ then

$$\sum_{s \in S} (1 - f)(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) = \sum_{s \in S} f(s) \pi(s_2, s) - \sum_{s \in S} f(s) \pi(s_1, s).$$

As a consequence, if $s_1 \to$ and $s_2 \to$ then

$$\Delta(d)(s_1, s_2) = \max \Bigl\{ \Bigl| \sum_{s \in S} f(s) \pi(s_1, s) - \sum_{s \in S} f(s) \pi(s_2, s) \Bigr| \Bigm| f \in (S, d) \multimap [0, 1] \Bigr\}.$$

Now that we have this alternative representation of $\Delta(d)$, checking that it satisfies the three
conditions of Definition 2.5 is straightforward. □

Proposition 4.5 ([U Proposition 38]). $\Delta$ is order-preserving.

Proof. Let $d_1$ and $d_2$ be 1-bounded pseudometrics on $S$ with $d_1 \sqsubseteq d_2$. Note that any function
$S \to [0, 1]$ that is nonexpansive with respect to $d_2$ is also nonexpansive with respect to $d_1$.
Therefore $\Delta(d_2)(s_1, s_2) \le \Delta(d_1)(s_1, s_2)$ for all $s_1, s_2 \in S$ since the latter involves taking the
max over a larger set. □

Since $\Delta(d)$ is a 1-bounded pseudometric on $S$ and $\Delta$ is order-preserving, we can conclude
from Tarski's fixed point theorem [32, Theorem 1] that $\Delta$ has a greatest fixed point. We
denote the greatest fixed point of $\Delta$ by $\mathrm{gfp}(\Delta)$. This greatest fixed point of $\Delta$ is also the
greatest post-fixed point of $\Delta$ (see, for example, [12, Theorem 4.11]).

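Theorem 4.6. $d_1 = \mathrm{gfp}(\Delta)$.

Proof. We first prove that $d_1$ is a post-fixed point of $\Delta$. That is, we show that
$\Delta(d_1)(s_1, s_2) \le d_1(s_1, s_2)$. To prove this, we distinguish the following three cases.

• If $s_1 \not\to$ and $s_2 \not\to$ then the property is vacuously true.

• If $s_1 \not\to$ and $s_2 \to$ or $s_1 \to$ and $s_2 \not\to$ then the formula $\Diamond\mathrm{true}$ witnesses that the states
$s_1$ and $s_2$ have distance one.

• Assume that $s_1 \to$ and $s_2 \to$. According to [6, Proposition 39], the set $\{ [\![\varphi]\!]_1 \mid \varphi \in \mathcal{L} \}$
is dense in $(S, d_1) \multimap [0, 1]$, that is, each $f \in (S, d_1) \multimap [0, 1]$ can be approximated up to
arbitrary accuracy by some $[\![\varphi]\!]_1$. As a consequence,

$$\begin{aligned}
& \max \Bigl\{ \sum_{s \in S} f(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) \Bigm| f \in (S, d_1) \multimap [0, 1] \Bigr\} \\
&= \max \Bigl\{ \sum_{s \in S} [\![\varphi]\!]_1(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) \Bigm| \varphi \in \mathcal{L} \Bigr\} \\
&= \max \Bigl\{ \sum_{s \in S} \pi(s_1, s) [\![\varphi]\!]_1(s) - \sum_{s \in S} \pi(s_2, s) [\![\varphi]\!]_1(s) \Bigm| \varphi \in \mathcal{L} \Bigr\} \\
&= \max \bigl\{ [\![\Diamond\varphi]\!]_1(s_1) - [\![\Diamond\varphi]\!]_1(s_2) \bigm| \varphi \in \mathcal{L} \bigr\} \\
&\le d_1(s_1, s_2).
\end{aligned}$$

Next we prove that $d_1$ is the greatest post-fixed point of $\Delta$. Assume that $d$ is a
post-fixed point of $\Delta$. We have to show that $d \sqsubseteq d_1$. That is, $d_1(s_1, s_2) \le d(s_1, s_2)$. We restrict
our attention to the case that $s_1 \to$ and $s_2 \to$. It suffices to show that

$$[\![\varphi]\!]_1(s_1) - [\![\varphi]\!]_1(s_2) \le d(s_1, s_2)$$

for all $\varphi \in \mathcal{L}$. This can be proved by structural induction on $\varphi$. We consider only the
nontrivial case: $\Diamond\varphi$.

$$\begin{aligned}
& [\![\Diamond\varphi]\!]_1(s_1) - [\![\Diamond\varphi]\!]_1(s_2) \\
&= \sum_{s \in S} \pi(s_1, s) [\![\varphi]\!]_1(s) - \sum_{s \in S} \pi(s_2, s) [\![\varphi]\!]_1(s) \\
&= \sum_{s \in S} [\![\varphi]\!]_1(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) \\
&\le \max \Bigl\{ \sum_{s \in S} f(s) \bigl( \pi(s_1, s) - \pi(s_2, s) \bigr) \Bigm| f \in (S, d) \multimap [0, 1] \Bigr\} \qquad [\text{by induction, } [\![\varphi]\!]_1 \in (S, d) \multimap [0, 1]] \\
&= \Delta(d)(s_1, s_2) \\
&\le d(s_1, s_2) \qquad [d \text{ is a post-fixed point of } \Delta]
\end{aligned}$$

□

$d$ is a post-fixed point of $\Delta$ if $d \sqsubseteq \Delta(d)$. In [12, page 94], such a $d$ is called a pre-fixpoint.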



A similar result can be obtained by combining Theorem 40 and 44 of [4]. 

Let us recall (a minor variation of) the Kantorovich-Rubinstein duality theorem. Let $X$
be a 1-bounded compact pseudometric space. Let $\mu_1$ and $\mu_2$ be Borel probability measures
on $X$. We denote the set of Borel probability measures on the product space with marginals
$\mu_1$ and $\mu_2$, that is, the Borel probability measures $\mu$ on $X^2$ such that for all Borel subsets
$B$ of $X$,

$$\mu(B \times X) = \mu_1(B) \text{ and } \mu(X \times B) = \mu_2(B),$$

by $\mu_1 \otimes \mu_2$. The Kantorovich-Rubinstein duality theorem tells us

$$\max \Bigl\{ \int_X f \, d\mu_1 - \int_X f \, d\mu_2 \Bigm| f \in X \multimap [0, 1] \Bigr\} = \min \Bigl\{ \int_{X^2} d_X \, d\mu \Bigm| \mu \in \mu_1 \otimes \mu_2 \Bigr\}.$$

The following proposition, which is a consequence of the Kantorovich-Rubinstein duality
theorem, defines $\Delta(d)$ as a minimum as opposed to the maximum in Definition 4.3.

Proposition 4.7 (0 Corollary 19]). Let $d$ be a 1-bounded pseudometric on $S$. Let $s_1$,
$s_2 \in S$ such that $s_1 \to$ and $s_2 \to$. Then

$$\Delta(d)(s_1, s_2) = \min \Bigl\{ \sum_{(s_i, s_j) \in S^2} d(s_i, s_j) \, \mu(s_i, s_j) \Bigm| \mu \in \pi(s_1, \cdot) \otimes \pi(s_2, \cdot) \Bigr\}$$

where $\mu \in \pi(s_1, \cdot) \otimes \pi(s_2, \cdot)$ if

$$\forall s_i \in S \;\; \sum_{s_j \in S} \mu(s_i, s_j) = \pi(s_1, s_i) \;\wedge\; \forall s_j \in S \;\; \sum_{s_i \in S} \mu(s_i, s_j) = \pi(s_2, s_j).$$

Proof. Since the set $S$ is finite, the space $(S, d)$ is compact. The probability distributions
$\pi(s_1, \cdot)$ and $\pi(s_2, \cdot)$ define Borel probability measures on $(S, d)$. Applying the
Kantorovich-Rubinstein duality theorem gives us the desired result. □



5. The algorithm 

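Before we present our algorithm, we first show that the fact that a pseudometric is
a post-fixed point of $\Delta$ can be expressed in (the existential fragment of) the first order
theory over real closed fields. This will allow us to exploit Tarski's decision procedure to
approximate the behavioural pseudometric.

For the rest of this paper, we assume that the probabilistic transition system $(S, \pi)$ has
$N$ states $s_1, s_2, \ldots, s_N$. Instead of $\pi(s_i, s_j)$ we will write $\pi_{ij}$. We represent a 1-bounded
pseudometric on the set $S$ of states of the probabilistic transition system as (the values of)
a collection of real valued variables $d_{ij}$.

The fact that $d$ is a 1-bounded pseudometric can now be captured as follows.

Definition 5.1. The predicate pseudo($d$) is defined by

$$\mathrm{pseudo}(d) \equiv \bigwedge_{1 \le i, j \le N} d_{ij} \ge 0 \wedge d_{ij} \le 1 \;\wedge\; \bigwedge_{1 \le i \le N} d_{ii} = 0 \;\wedge\; \bigwedge_{1 \le i, j \le N} d_{ij} = d_{ji} \;\wedge\; \bigwedge_{1 \le h, i, j \le N} d_{hj} \le d_{hi} + d_{ij}$$

Furthermore, the fact that $d$ is a post-fixed point of $\Delta$ can be captured as follows.

Definition 5.2. The predicate post-fixed($d$) is defined by

$$\text{post-fixed}(d) \equiv \bigwedge_{1 \le i_0, j_0 \le N} \text{post-fixed}_1(d, i_0, j_0) \vee \text{post-fixed}_2(d, i_0, j_0) \vee \text{post-fixed}_3(d, i_0, j_0)$$

where

$$\begin{aligned}
\text{post-fixed}_1(d, i_0, j_0) \equiv{} & \sum_{1 \le i \le N} \pi_{i_0 i} > 0 \;\wedge\; \sum_{1 \le j \le N} \pi_{j_0 j} > 0 \;\wedge \\
& \exists (\mu_{ij})_{1 \le i, j \le N} \Bigl( \bigwedge_{1 \le i, j \le N} \mu_{ij} \ge 0 \wedge \mu_{ij} \le 1 \\
& \quad \wedge \bigwedge_{1 \le i \le N} \sum_{1 \le j \le N} \mu_{ij} = \pi_{i_0 i} \\
& \quad \wedge \bigwedge_{1 \le i \le N} \sum_{1 \le j \le N} \mu_{ji} = \pi_{j_0 i} \\
& \quad \wedge \sum_{1 \le i, j \le N} d_{ij} \, \mu_{ij} \le d_{i_0 j_0} \Bigr) \\
\text{post-fixed}_2(d, i_0, j_0) \equiv{} & \sum_{1 \le i \le N} \pi_{i_0 i} = 0 \;\wedge\; \sum_{1 \le j \le N} \pi_{j_0 j} = 0 \\
\text{post-fixed}_3(d, i_0, j_0) \equiv{} & \Bigl( \Bigl( \sum_{1 \le i \le N} \pi_{i_0 i} > 0 \wedge \sum_{1 \le j \le N} \pi_{j_0 j} = 0 \Bigr) \vee \Bigl( \sum_{1 \le i \le N} \pi_{i_0 i} = 0 \wedge \sum_{1 \le j \le N} \pi_{j_0 j} > 0 \Bigr) \Bigr) \wedge d_{i_0 j_0} = 1
\end{aligned}$$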

Now we are ready to present our algorithm. Consider the states $s_{i_0}$ and $s_{j_0}$. We restrict
our attention to the case that $s_{i_0} \to$ and $s_{j_0} \to$. In the other cases the computation of the
distance is trivial.

In our algorithm, we use the algorithm tarski that takes as input a sentence of the
first order theory of real closed fields and decides the truth or falsity of the given sentence.
The fact that there exists such an algorithm was first proved by Tarski [31].

Let $\epsilon$ be the desired accuracy. That is, we want to find an interval $[\ell_0, u_0] \subseteq [0, 1]$ such
that $u_0 - \ell_0 \le \epsilon$ and $d_1(s_{i_0}, s_{j_0}) \in [\ell_0, u_0]$. The algorithm approximate takes as input an
interval $[\ell, u] \subseteq [0, 1]$ such that $d_1(s_{i_0}, s_{j_0}) \in [\ell, u]$ and returns the desired result. As a
consequence, approximate(0, 1) returns an approximation of $d_1(s_{i_0}, s_{j_0})$ with accuracy $\epsilon$.

approximate($\ell$, $u$):
  if $u - \ell \le \epsilon$
    return $[\ell, u]$
  else
    $m = (\ell + u) / 2$
    if tarski($\exists d \;\; \mathrm{pseudo}(d) \wedge \text{post-fixed}(d) \wedge d_{i_0 j_0} \le m$)
      return approximate($\ell$, $m$)
    else
      return approximate($m$, $u$)

Note that the argument of tarski is a sentence that is part of the existential fragment
of the first order theory over real closed fields. For this fragment there are more efficient
decision procedures than for the general theory (see, for example, [2]).

Let us sketch a correctness proof of our algorithm. Assume that $d_1(s_{i_0}, s_{j_0}) \in [\ell, u]$. We
distinguish the following three cases.

• If $u - \ell \le \epsilon$, then the algorithm obviously returns the desired result.

• Assume that $u - \ell > \epsilon$ and suppose that tarski returns true. Then there exists a 1-bounded
pseudometric $d$ that is a post-fixed point of $\Delta$ and $d(s_{i_0}, s_{j_0}) \le m$. Since $d_1$ is the greatest
post-fixed point of $\Delta$, we have that $d \sqsubseteq d_1$. Hence, $d_1(s_{i_0}, s_{j_0}) \le d(s_{i_0}, s_{j_0}) \le m$. By
assumption $d_1(s_{i_0}, s_{j_0}) \in [\ell, u]$, therefore $d_1(s_{i_0}, s_{j_0}) \in [\ell, m]$.

• Assume that $u - \ell > \epsilon$ and suppose that tarski returns false. Then $d(s_{i_0}, s_{j_0}) > m$ for
every 1-bounded pseudometric $d$ that is a post-fixed point of $\Delta$. Since $d_1$ is a post-fixed
point of $\Delta$, we have that $d_1(s_{i_0}, s_{j_0}) > m$. By assumption $d_1(s_{i_0}, s_{j_0}) \in [\ell, u]$, therefore,
$d_1(s_{i_0}, s_{j_0}) \in [m, u]$.

Obviously, the algorithm terminates.

6. Conclusion 

This paper combines a number of ingredients, known already for a long time, including
the Kantorovich-Rubinstein duality theorem of the fifties, Tarski's fixed point theorem of
the forties and Tarski's decision procedure for the first order theory of real closed fields of
the thirties. We show that the behavioural pseudometric $d_1$, which does not discount the
future, can be approximated up to an arbitrary accuracy. While the combination of the
above results into a decision procedure for the pseudometric is not technically difficult, we
do solve a problem that has been open since 1999. Most of the results in Sections 3 and 4 are
(variations on) known results. As far as we know, the results in Section 5 and Appendix B
are new. The techniques exploited in this paper have also been used to approximate other
behavioural pseudometrics that do not discount the future such as, for example, the one
presented in [3]. Furthermore, our algorithm can easily be adjusted to the discounted case.

Since the satisfiability problem for the existential fragment of the first order theory of
real closed fields is in PSPACE, it is not surprising that our algorithm can only handle
small examples as we have shown in Appendix B. As a consequence, the quest for practical
algorithms to approximate $d_1$ is still open. Since the closure ordinal of $\Delta$ is $\omega$, as proved in
Appendix A, an iterative algorithm might be feasible.

As future work, we plan to apply our techniques to obtain approximation algorithms
for other behavioural pseudometrics such as, for example, the one for systems that combine
nondeterminism and probability presented in [15] and the pseudometric for weak
probabilistic bisimilarity in [17]. In the latter case the pseudometric can be characterized as the fixed
point of a functional based on the Kantorovich and Hausdorff metrics. These can easily be
encoded in the first-order theory of the reals. However, the need to consider the transitive
closure of the silent transition relation suggests that some non-trivial extension of the work
presented here is called for.

Appendix A. Closure ordinal of $\Delta$

The greatest fixed point of an order-preserving function on a complete lattice can be
obtained by iteration (see, for example, [12, Exercise 4.13]).

Definition A.1. For each ordinal $\alpha$, the 1-bounded pseudometric $d^\alpha$ on $S$ is defined by

$$\begin{aligned}
d^0 &= \top \\
d^{\alpha+1} &= \Delta(d^\alpha) \\
d^\beta &= \sqcap_{\alpha < \beta} \, d^\alpha \quad \text{if } \beta \text{ is a limit ordinal}
\end{aligned}$$

As we will see in the next example, for some systems we need at least $\omega$ iterations to
reach the greatest fixed point of $\Delta$.

Example A.2. Consider the system of Example 2.2. For all $n$,

d n +i(si,s 2 ) = 1 + §d„(si,S3) 

d n+ i(s 2 ,s 3 ) = I + ^d n (s 1 ,s 3 ) 
Hence, for this system we need $\omega$ iterations.

In the rest of this appendix, we prove that we need at most $\omega$ iterations for any system.
This tells us that the closure ordinal of $\Delta$ is $\omega$, that is, $\Delta(d^\omega) = d^\omega$. As a consequence,
$d^\omega$ is the greatest fixed point of $\Delta$ (see, for example, [12, Example 4.13]). As we will see
below, the fact that $d^\omega$ is a fixed point of $\Delta$ follows from the facts that $\Delta$ is order-preserving
(Proposition 4.5) and Lipschitz (Proposition A.6).

In [17, page 418], Desharnais et al. state that a functional similar to $\Delta$ has closure
ordinal $\omega$.
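The iteration of Definition A.1, $d^0 = \top$ and $d^{n+1} = \Delta(d^n)$, with $\Delta$ evaluated through the minimisation of Proposition 4.7, as an added Python example; it is not the paper's Mathematica implementation and not its Tarski-based algorithm. The five-state system `PI` and all function names are constructed for illustration, and the transportation problem is solved by successive shortest augmenting paths in exact rational arithmetic, a method chosen for this example.

```python
from fractions import Fraction as F

# Constructed five-state system (an assumption of this example, not the paper's Example 2.2).
# a: loops with probability 1/2 or moves to the stuck state z; b: loops forever;
# z: no outgoing transition; c, e: move to a or b with different weights.
A, B, Z, C, E = range(5)
PI = [
    [F(1, 2), F(0), F(1, 2), F(0), F(0)],   # a
    [F(0), F(1), F(0), F(0), F(0)],         # b
    [F(0), F(0), F(0), F(0), F(0)],         # z
    [F(1, 2), F(1, 2), F(0), F(0), F(0)],   # c
    [F(1, 4), F(3, 4), F(0), F(0), F(0)],   # e
]


def kantorovich(mu, nu, d):
    """Minimum over couplings w of mu and nu of sum d[i][j] * w[i][j] (Proposition 4.7)."""
    n = len(mu)
    supply, demand = list(mu), list(nu)
    w = [[F(0)] * n for _ in range(n)]      # coupling built so far
    cost = F(0)
    while any(x > 0 for x in supply):
        # Bellman-Ford on the residual graph: node i < n is mass still at s_i,
        # node n + j is mass delivered to s_j.
        dist = [F(0) if supply[i] > 0 else None for i in range(n)] + [None] * n
        prev = [None] * (2 * n)
        for _ in range(2 * n):
            changed = False
            for i in range(n):
                for j in range(n):
                    if dist[i] is not None and (
                            dist[n + j] is None or dist[i] + d[i][j] < dist[n + j]):
                        dist[n + j], prev[n + j], changed = dist[i] + d[i][j], i, True
                    if w[i][j] > 0 and dist[n + j] is not None and (
                            dist[i] is None or dist[n + j] - d[i][j] < dist[i]):
                        dist[i], prev[i], changed = dist[n + j] - d[i][j], n + j, True
            if not changed:
                break
        # Cheapest target that still needs mass, then walk the path back to its source.
        t = min((j for j in range(n) if demand[j] > 0), key=lambda j: dist[n + j])
        path, v = [], n + t
        while prev[v] is not None:
            path.append((prev[v], v))
            v = prev[v]
        amount = min([supply[v], demand[t]] + [w[b][a - n] for a, b in path if a >= n])
        for a, b in path:
            if a < n:                       # forward edge: ship mass from s_a to s_(b-n)
                w[a][b - n] += amount
                cost += amount * d[a][b - n]
            else:                           # backward edge: undo part of an earlier shipment
                w[b][a - n] -= amount
                cost -= amount * d[b][a - n]
        supply[v] -= amount
        demand[t] -= amount
    return cost


def delta_op(pi, d):
    """The functional Delta of Definition 4.3, using the dual form for moving states."""
    n = len(pi)
    moves = [sum(row) == 1 for row in pi]
    out = [[F(0)] * n for _ in range(n)]    # two stuck states stay at distance 0
    for i in range(n):
        for j in range(n):
            if moves[i] and moves[j]:
                out[i][j] = kantorovich(pi[i], pi[j], d)
            elif moves[i] != moves[j]:
                out[i][j] = F(1)
    return out


def iterate(pi, steps):
    """d^steps, starting from the top element (all distances 0)."""
    n = len(pi)
    d = [[F(0)] * n for _ in range(n)]
    for _ in range(steps):
        d = delta_op(pi, d)
    return d


if __name__ == "__main__":
    for k in range(1, 7):
        dk = iterate(PI, k)
        print(k, dk[A][B], dk[C][E])
```

On this system $d^n(a, b) = 1 - 2^{-(n-1)}$ for $n \ge 1$, so every finite iterate stays strictly below the limit 1, the same behaviour Example A.2 describes for the paper's system.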

Recall that for a pseudometric d, the equivalence relation = d relates states that have 
distance zero. From each equivalence class [s] d we pick a designated state which we denote 
by (s) d . Hence, (s) d G [s] d and also d(s, (s) d ) = 0. 

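Proposition A.3. For all $s_1, s_2 \in S$, 

\[ d(\langle s_1 \rangle_d, \langle s_2 \rangle_d) = d(s_1, s_2). \]

Proof. 

\[
\begin{aligned}
d(\langle s_1 \rangle_d, \langle s_2 \rangle_d)
&\leq d(\langle s_1 \rangle_d, s_1) + d(s_1, s_2) + d(s_2, \langle s_2 \rangle_d) \\
&= d(s_1, s_2) \\
&\leq d(s_1, \langle s_1 \rangle_d) + d(\langle s_1 \rangle_d, \langle s_2 \rangle_d) + d(\langle s_2 \rangle_d, s_2) \\
&= d(\langle s_1 \rangle_d, \langle s_2 \rangle_d).
\end{aligned}
\]

□ 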



Let $d_1 \sqsubseteq d_2$. The ratio $\rho(d_1, d_2)$ of $d_1$ and $d_2$ is defined by 

\[ \rho(d_1, d_2) = \min \left\{ \frac{d_2(s_1, s_2)}{d_1(s_1, s_2)} \;\middle|\; d_2(s_1, s_2) > 0 \right\}. \]

Note that we never divide by zero since $d_1 \sqsubseteq d_2$ and, hence, $d_1(s_1, s_2) \geq d_2(s_1, s_2)$. 

Below, we will use the convention that the minimum of the empty set is one and the 
maximum of the empty set is zero. 

Given pseudometrics $d_1$ and $d_2$ such that $d_1 \sqsubseteq d_2$ and given an $f \in (S, d_1) \rightsquigarrow [0, 1]$, we 
next show that there exists a $g_f \in (S, d_2) \rightsquigarrow [0, 1]$ that is nonexpansive. 

Proposition A.4. Let $d_1 \sqsubseteq d_2$ and $f \in (S, d_1) \rightsquigarrow [0, 1]$. Let $g_f : S \to [0, 1]$ be defined by 

\[ g_f(s) = \rho(d_1, d_2)\, f(\langle s \rangle_{d_2}). \]

Then $g_f \in (S, d_2) \rightsquigarrow [0, 1]$. 

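Proof. Let $s_1, s_2 \in S$. We have to show that 

\[ |g_f(s_1) - g_f(s_2)| \leq d_2(s_1, s_2). \]

We distinguish two cases. If $d_2(s_1, s_2) = 0$ then $\langle s_1 \rangle_{d_2} = \langle s_2 \rangle_{d_2}$ and, hence, $f(\langle s_1 \rangle_{d_2}) = f(\langle s_2 \rangle_{d_2})$. 
Therefore $g_f(s_1) = g_f(s_2)$ and, hence, the property is vacuously true. Let 
$d_2(s_1, s_2) > 0$. According to Proposition A.3, $d_2(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2}) > 0$. Also $d_1(s_1, s_2) > 0$ since 
$d_1 \sqsubseteq d_2$, and 

\[
\begin{aligned}
|g_f(s_1) - g_f(s_2)|
&= |\rho(d_1, d_2)\, f(\langle s_1 \rangle_{d_2}) - \rho(d_1, d_2)\, f(\langle s_2 \rangle_{d_2})| \\
&= \rho(d_1, d_2)\, |f(\langle s_1 \rangle_{d_2}) - f(\langle s_2 \rangle_{d_2})| \\
&\leq \rho(d_1, d_2)\, d_1(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2}) && [f \in (S, d_1) \rightsquigarrow [0, 1]] \\
&\leq \frac{d_2(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2})}{d_1(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2})}\, d_1(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2}) \\
&= d_2(\langle s_1 \rangle_{d_2}, \langle s_2 \rangle_{d_2}) \\
&= d_2(s_1, s_2) && [\text{Proposition A.3}]
\end{aligned}
\]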

Next, we bound $f - g_f$ from above. 

Proposition A.5. Let $d_1 \sqsubseteq d_2$ and $f \in (S, d_1) \rightsquigarrow [0, 1]$. Let $\mu = \min \{\, d_1(s_1, s_2) \mid d_1(s_1, s_2) > 0 \,\}$. Then 

\[ f(s) - g_f(s) \leq \frac{\mu + 1}{\mu} \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2') \]

for all $s \in S$. 

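Proof. Let $s \in S$. Then 

\[
\begin{aligned}
f(s) - g_f(s)
&= f(s) - \rho(d_1, d_2)\, f(\langle s \rangle_{d_2}) \\
&= \bigl(f(s) - f(\langle s \rangle_{d_2})\bigr) + \bigl(f(\langle s \rangle_{d_2}) - \rho(d_1, d_2)\, f(\langle s \rangle_{d_2})\bigr).
\end{aligned}
\]

Furthermore, 

\[
\begin{aligned}
f(s) - f(\langle s \rangle_{d_2})
&\leq d_1(s, \langle s \rangle_{d_2}) && [f \in (S, d_1) \rightsquigarrow [0, 1]] \\
&= d_1(s, \langle s \rangle_{d_2}) - d_2(s, \langle s \rangle_{d_2}) && [d_2(s, \langle s \rangle_{d_2}) = 0] \\
&\leq \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2')
\end{aligned}
\]

and 

\[
\begin{aligned}
f(\langle s \rangle_{d_2}) - \rho(d_1, d_2)\, f(\langle s \rangle_{d_2})
&\leq 1 - \rho(d_1, d_2) \\
&= 1 - \min \left\{ \frac{d_2(s_1, s_2)}{d_1(s_1, s_2)} \;\middle|\; d_2(s_1, s_2) > 0 \right\} \\
&= \max \left\{ \frac{d_1(s_1, s_2) - d_2(s_1, s_2)}{d_1(s_1, s_2)} \;\middle|\; d_2(s_1, s_2) > 0 \right\} \\
&\leq \frac{1}{\mu} \max \{\, d_1(s_1, s_2) - d_2(s_1, s_2) \mid d_2(s_1, s_2) > 0 \,\} \\
&\leq \frac{1}{\mu} \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2').
\end{aligned}
\]

□ 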

Now we can prove that $\Delta$ is Lipschitz, that is, 

\[ \max_{s_1, s_2 \in S} \Delta(d_1)(s_1, s_2) - \Delta(d_2)(s_1, s_2) \leq A \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2') \]

for some constant $A$. 

Proposition A.6. Let $d_1 \sqsubseteq d_2$. For all $s_1, s_2 \in S$, 

\[ \Delta(d_1)(s_1, s_2) - \Delta(d_2)(s_1, s_2) \leq |S|\, \frac{\mu + 1}{\mu} \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2'). \]

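Proof. Let $s_1, s_2 \in S$. Then 

\[
\begin{aligned}
& \Delta(d_1)(s_1, s_2) - \Delta(d_2)(s_1, s_2) \\
&= \max \left\{ \sum_{s \in S} f(s)(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; f \in (S, d_1) \rightsquigarrow [0, 1] \right\}
 - \max \left\{ \sum_{s \in S} g(s)(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; g \in (S, d_2) \rightsquigarrow [0, 1] \right\} \\
&= \max \left\{ \min \left\{ \sum_{s \in S} f(s)(\pi(s_1, s) - \pi(s_2, s)) - \sum_{s \in S} g(s)(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; g \in (S, d_2) \rightsquigarrow [0, 1] \right\} \;\middle|\; f \in (S, d_1) \rightsquigarrow [0, 1] \right\} \\
&= \max \left\{ \min \left\{ \sum_{s \in S} (f(s) - g(s))(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; g \in (S, d_2) \rightsquigarrow [0, 1] \right\} \;\middle|\; f \in (S, d_1) \rightsquigarrow [0, 1] \right\} \\
&\leq \max \left\{ \sum_{s \in S} (f(s) - g_f(s))(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; f \in (S, d_1) \rightsquigarrow [0, 1] \right\} && [\text{Proposition A.4}] \\
&\leq \max \left\{ \sum_{s \in S} f(s) - g_f(s) \;\middle|\; f \in (S, d_1) \rightsquigarrow [0, 1] \right\} \\
&\leq |S|\, \frac{\mu + 1}{\mu} \max_{s_1', s_2' \in S} d_1(s_1', s_2') - d_2(s_1', s_2') && [\text{Proposition A.5}]
\end{aligned}
\]

□ 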

Finally, we prove that the closure ordinal of $\Delta$ is $\omega$. 

Proposition A.7. $\Delta(d^\omega) = d^\omega$. 

Proof. First, we show that $\Delta(d^\omega) \sqsubseteq d^\omega$. By definition, $d^\omega = \bigsqcap_{n \in \omega} d^n \sqsubseteq d^n$ for all $n \in \omega$. 
Since $\Delta$ is order-preserving, $\Delta(d^\omega) \sqsubseteq \Delta(d^n) = d^{n+1}$ for all $n \in \omega$. Obviously, $\Delta(d^\omega) \sqsubseteq d^0$. 
Therefore, $\Delta(d^\omega)$ is a lower bound of $\{\, d^n \mid n \in \omega \,\}$. Since $d^\omega$ is the greatest lower bound 
by definition, $\Delta(d^\omega) \sqsubseteq d^\omega$. 

We have left to show that $\Delta(d^\omega) \sqsupseteq d^\omega$, that is, $\Delta(d^\omega)(s_1, s_2) \leq d^\omega(s_1, s_2)$ for all $s_1$, 
$s_2 \in S$. Let $s_1, s_2 \in S$. Let $\epsilon > 0$. It suffices to show that there exists an $n$ such that 
$\Delta(d^\omega)(s_1, s_2) - d^{n+1}(s_1, s_2) < \epsilon$. Let $\mu = \min \{\, d^\omega(s_1, s_2) \mid d^\omega(s_1, s_2) > 0 \,\}$. Since the set $S$ 
is finite, for every $\delta > 0$ there exists an $n$ such that for all $s_1', s_2' \in S$, 

Here we pick $\delta$ to be From Proposition A.6 we can conclude that 

\[
\begin{aligned}
\Delta(d^\omega)(s_1, s_2) - d^{n+1}(s_1, s_2)
&= \Delta(d^\omega)(s_1, s_2) - \Delta(d^n)(s_1, s_2) \\
&< \epsilon.
\end{aligned}
\]

□ 

Appendix B. An implementation in Mathematica 

A decision procedure for the first order theory of real closed fields based on quantifier 
elimination was first given by Tarski [3T]. A number of algorithms have been developed 
thereafter for the theory (see, for example, [2, 25]). Collins' algorithm is implemented 
in the tool Mathematica and can be used for solving our formulae. However, it works only for 
very small examples and therefore it is essential to simplify the formula and reduce its size 
to make it solvable. To simplify the formula, we first compute some of the distances using 
the following results. 

Proposition B.1. 

• If $s_1 \not\rightarrow$ and $s_2 \not\rightarrow$ then $d_1(s_1, s_2) = 0$. 

• If $s_1 \not\rightarrow$ and $s_2 \rightarrow$, or $s_1 \rightarrow$ and $s_2 \not\rightarrow$ then $d_1(s_1, s_2) = 1$. 

Proof. We only consider the first case. The second one can be proved similarly. If $s_1 \not\rightarrow$ 
and $s_2 \not\rightarrow$ then $d_1(s_1, s_2) = \Delta(d_1)(s_1, s_2) = 0$. □ 

Example B.2. Consider the probabilistic transition system of Example 2.2. State $s_4$ has 
distance one to all other states. 

Next, we present a simple characterization of the distance between a state that never 
terminates (that is, the probability of reaching a state with no outgoing transitions is zero) 
and another state. 

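Given a state $s$ and $n \in \omega + 1$, $\tau_n(s)$ is the probability of terminating in less than $n$ 
transitions when started in $s$. 

Definition B.3. For each $n \in \omega + 1$, the function $\tau_n : S \to [0, 1]$ is defined by 

\[
\begin{aligned}
\tau_0(s) &= 0 \\
\tau_{n+1}(s) &= \begin{cases} 1 & \text{if } s \not\rightarrow \\ \sum_{s' \in S} \pi(s, s')\, \tau_n(s') & \text{otherwise} \end{cases} \\
\tau_\omega(s) &= \sup_{n \in \omega} \tau_n(s)
\end{aligned}
\]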

Example B.4. Consider the probabilistic transition system of Example 2.2. Then we have 
that r w (si) = 3, r w (s 2 ) = ^, r w (s 3 ) = 0, r w (s 4 ) = 1 and t u (s 5 ) = 0. 

Obviously, for a state $s$ without outgoing transitions, we have that $\tau_\omega(s) = 1$. For a 
state $s$ that cannot reach any state without outgoing transitions, we have that $\tau_\omega(s) = 0$. 
For the remaining states, we can compute the probability of termination using standard 
techniques as described in, for example, [22, Section 11.2]. 

Proposition B.5. If $\tau_\omega(s_2) = 0$ then $d_1(s_1, s_2) = \tau_\omega(s_1)$. 

Proof. Assume that $\tau_\omega(s_2) = 0$. We prove that for all $n \in \omega + 1$, 

\[ d^n(s_1, s_2) = \tau_n(s_1) \]

by induction on $n$. 

• Obviously, $d^0(s_1, s_2) = 0 = \tau_0(s_1)$. 

• We have to prove that $d^{n+1}(s_1, s_2) = \tau_{n+1}(s_1)$. We distinguish the following two cases. 

  - If $s_1 \not\rightarrow$ then $d^{n+1}(s_1, s_2) = 1 = \tau_{n+1}(s_1)$. 

  - Now let us assume that $s_1 \rightarrow$. First we show that $\tau_n$ as a function from $(S, d^n)$ to $[0, 1]$ 
    is nonexpansive. For all $s$, $s'$, 

    \[
    \begin{aligned}
    |\tau_n(s) - \tau_n(s')| &= |d^n(s, s_2) - d^n(s', s_2)| && [\text{induction}] \\
    &\leq d^n(s, s') && [\text{triangle inequality}]
    \end{aligned}
    \]

    Since 

    \[
    \begin{aligned}
    d^{n+1}(s_1, s_2)
    &= \Delta(d^n)(s_1, s_2) \\
    &\geq \sum_{s \in S} \tau_n(s)(\pi(s_1, s) - \pi(s_2, s)) && [\tau_n \text{ is nonexpansive}] \\
    &= \sum_{s \in S} \tau_n(s)\pi(s_1, s) - \sum_{s \in S} \tau_n(s)\pi(s_2, s) \\
    &= \tau_{n+1}(s_1) - \tau_{n+1}(s_2) \\
    &= \tau_{n+1}(s_1) && [\tau_\omega(s_2) = 0 \text{ and, hence, } \tau_{n+1}(s_2) = 0]
    \end{aligned}
    \]

    Let $f \in (S, d^n) \rightsquigarrow [0, 1]$. For all $s$, 

    \[ f(s) - f(s_2) \leq |f(s) - f(s_2)| \leq d^n(s, s_2) = \tau_n(s). \]

    As a consequence, 

    \[
    \begin{aligned}
    & \sum_{s \in S} f(s)(\pi(s_1, s) - \pi(s_2, s)) \\
    &= \sum_{s \in S} f(s)\pi(s_1, s) - \sum_{s \in S} f(s)\pi(s_2, s) \\
    &= \sum_{s \in S} (f(s) - f(s_2))\pi(s_1, s) - \sum_{s \in S} (f(s) - f(s_2))\pi(s_2, s) && \Bigl[\textstyle\sum_{s \in S} f(s_2)\pi(s_1, s) = f(s_2)\Bigr] \\
    &= \sum_{s \in S} (f(s) - f(s_2))(\pi(s_1, s) - \pi(s_2, s)) \\
    &\leq \sum_{s \in S} \tau_n(s)(\pi(s_1, s) - \pi(s_2, s)) \\
    &= \tau_{n+1}(s_1).
    \end{aligned}
    \]

    Since $f$ was chosen arbitrarily, we can conclude that 

    \[ d^{n+1}(s_1, s_2) \leq \tau_{n+1}(s_1). \]

• Finally, 

\[
\begin{aligned}
d^\omega(s_1, s_2) &= \sup_n d^n(s_1, s_2) \\
&= \sup_n \tau_n(s_1) && [\text{by induction}] \\
&= \tau_\omega(s_1).
\end{aligned}
\]

From Theorem 4.6 and Proposition A.7 we can conclude that $d_1(s_1, s_2) = d^\omega(s_1, s_2) = \tau_\omega(s_1)$. □ 

Example B.6. Consider the probabilistic transition system of Example 12 .21 From Proposi- 
tion lB.5l we can conclude that d\(s\, S3) = 5, di(s2> S3) = di(s4, S3) = 1 and di(ss, S3) = 
0. 
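
The pre-computation that Propositions B.1 and B.5 allow, as an added Python example (not the authors' Java program): it iterates Definition B.3 to approximate $\tau_\omega$ and collects the pairs of states whose distance is then already known. The matrix `PI` is constructed for illustration and is not the system of Example 2.2; each row is assumed to sum to one or to be all zero.

```python
# Added example: pre-computing distances with Propositions B.1 and B.5.
# PI is a constructed transition matrix, not the system of Example 2.2.
PI = [
    [0.0, 0.0, 0.5, 0.5, 0.0],  # s0: to s2 or s3, probability 1/2 each
    [0.5, 0.5, 0.0, 0.0, 0.0],  # s1: to s0, or loops on itself
    [0.0, 0.0, 1.0, 0.0, 0.0],  # s2: loops forever
    [0.0, 0.0, 0.0, 0.0, 0.0],  # s3: no outgoing transitions
    [0.0, 0.0, 1.0, 0.0, 0.0],  # s4: moves to s2
]

def terminal(pi, s):
    return not any(p > 0 for p in pi[s])      # s has no outgoing transitions

def can_terminate(pi):
    """States that can reach a state without outgoing transitions."""
    good = {s for s in range(len(pi)) if terminal(pi, s)}
    while True:
        more = {s for s in range(len(pi))
                if s not in good and any(pi[s][t] > 0 for t in good)}
        if not more:
            return good
        good |= more

def tau_omega(pi, tol=1e-12):
    """Approximate tau_omega from below by iterating Definition B.3."""
    n, good = len(pi), can_terminate(pi)
    tau = [0.0] * n                            # tau_0(s) = 0
    while True:
        new = [1.0 if terminal(pi, s)
               else sum(pi[s][t] * tau[t] for t in range(n))
               for s in range(n)]
        if max(abs(a - b) for a, b in zip(new, tau)) < tol:
            # tau_omega is exactly 0 where termination is unreachable
            return [new[s] if s in good else 0.0 for s in range(n)]
        tau = new

def known_distances(pi):
    """Pairs (i, j) with i < j whose distance follows from B.1 or B.5."""
    tau, good, known = tau_omega(pi), can_terminate(pi), {}
    for i in range(len(pi)):
        for j in range(i + 1, len(pi)):
            ti, tj = terminal(pi, i), terminal(pi, j)
            if ti or tj:                       # Proposition B.1
                known[i, j] = 0.0 if ti and tj else 1.0
            elif j not in good:                # Proposition B.5
                known[i, j] = tau[i]
            elif i not in good:                # B.5 plus symmetry of d_1
                known[i, j] = tau[j]
    return known
```

For this constructed system nine of the ten pairs are settled before any formula is built; only the distance between s0 and s1 would remain as a variable.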

Given a probabilistic bisimulation $\mathcal{R}$, we can quotient the probabilistic transition system 
$(S, \pi)$ as follows. 

Definition B.7. Let $\mathcal{R}$ be a probabilistic bisimulation. The probabilistic transition system 
$(S_{\mathcal{R}}, \pi_{\mathcal{R}})$ consists of 

• the set $S_{\mathcal{R}} = \{\, [s] \mid s \in S \,\}$ of $\mathcal{R}$-equivalence classes and 

• the function $\pi_{\mathcal{R}} : S_{\mathcal{R}} \times S_{\mathcal{R}} \to [0, 1]$ defined by 

\[ \pi_{\mathcal{R}}([s], [s']) = \sum_{s'' \mathrel{\mathcal{R}} s'} \pi(s, s''). \]

Note that the function $\pi_{\mathcal{R}}$ is well-defined since $\mathcal{R}$ is a probabilistic bisimulation. We will 
apply the above quotient construction for probabilistic bisimilarity (which can be computed 
in polynomial time [TJ). 

Example B.8. Consider the probabilistic transition system of Example 2.2. The smallest 
equivalence relation containing $\{(s_3, s_5)\}$ is a probabilistic bisimulation. The resulting 
quotient can be depicted as 




By quotienting, the number of states that need to be considered and, hence, the number 
of variables in the formula may be reduced. However, we still have to check that 
the quotiented system gives rise to the same distances. Next we relate the behavioural 
pseudometric $d_1$ of the original system $(S, \pi)$ with the behavioural pseudometric $d_1^{\mathcal{R}}$ of the 
quotiented system $(S_{\mathcal{R}}, \pi_{\mathcal{R}})$. 

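Proposition B.9. For all $s_1, s_2 \in S$, $d_1^{\mathcal{R}}([s_1], [s_2]) = d_1(s_1, s_2)$. 

Proof. First of all, note that 

\[ \sum_{s' \in S} \pi(s, s') = \sum_{[s'] \in S_{\mathcal{R}}} \sum_{s'' \mathrel{\mathcal{R}} s'} \pi(s, s'') = \sum_{[s'] \in S_{\mathcal{R}}} \pi_{\mathcal{R}}([s], [s']). \]

As a consequence, we have left to consider the case $s_1 \rightarrow$ and $s_2 \rightarrow$. We prove that for all 
$n \in \omega + 1$, $d_{\mathcal{R}}^n([s_1], [s_2]) = d^n(s_1, s_2)$ by induction on $n$. We distinguish the following three 
cases. 

• If $n = 0$ then the property is vacuously true. 

• Assume that $d_{\mathcal{R}}^n([s_1'], [s_2']) = d^n(s_1', s_2')$ for all $s_1', s_2' \in S$. Let $s_1, s_2 \in S$. We have to prove 
that $d_{\mathcal{R}}^{n+1}([s_1], [s_2]) = d^{n+1}(s_1, s_2)$. In the proof of this case, we make use of the following 
two observations. For each $f \in (S_{\mathcal{R}}, d_{\mathcal{R}}^n) \rightsquigarrow [0, 1]$, there exists a $g \in (S, d^n) \rightsquigarrow [0, 1]$ such 
that $g(s) = f([s])$ for all $s \in S$, since 

\[
\begin{aligned}
|g(s) - g(s')| &= |f([s]) - f([s'])| \\
&\leq d_{\mathcal{R}}^n([s], [s']) && [f \text{ is nonexpansive}] \\
&= d^n(s, s') && [\text{induction}].
\end{aligned}
\]

Similarly, we can show that for each $g \in (S, d^n) \rightsquigarrow [0, 1]$, there exists $f \in (S_{\mathcal{R}}, d_{\mathcal{R}}^n) \rightsquigarrow [0, 1]$ 
such that $f([s]) = g(s)$ for all $s \in S$. Note that if states $s$ and $s'$ are probabilistic 
bisimilar then $d_1(s, s') = 0$ and, hence, $d^n(s, s') = 0$ and, therefore, $g(s) = g(s')$, since $g$ 
is nonexpansive. 

\[
\begin{aligned}
& d_{\mathcal{R}}^{n+1}([s_1], [s_2]) \\
&= \Delta_{\mathcal{R}}(d_{\mathcal{R}}^n)([s_1], [s_2]) \\
&= \max \left\{ \sum_{[s] \in S_{\mathcal{R}}} f([s])(\pi_{\mathcal{R}}([s_1], [s]) - \pi_{\mathcal{R}}([s_2], [s])) \;\middle|\; f \in (S_{\mathcal{R}}, d_{\mathcal{R}}^n) \rightsquigarrow [0, 1] \right\} \\
&= \max \left\{ \sum_{[s] \in S_{\mathcal{R}}} f([s]) \sum_{s' \mathrel{\mathcal{R}} s} (\pi(s_1, s') - \pi(s_2, s')) \;\middle|\; f \in (S_{\mathcal{R}}, d_{\mathcal{R}}^n) \rightsquigarrow [0, 1] \right\} \\
&= \max \left\{ \sum_{[s] \in S_{\mathcal{R}}} \sum_{s' \mathrel{\mathcal{R}} s} f([s'])(\pi(s_1, s') - \pi(s_2, s')) \;\middle|\; f \in (S_{\mathcal{R}}, d_{\mathcal{R}}^n) \rightsquigarrow [0, 1] \right\} \\
&= \max \left\{ \sum_{s \in S} g(s)(\pi(s_1, s) - \pi(s_2, s)) \;\middle|\; g \in (S, d^n) \rightsquigarrow [0, 1] \right\} \\
&= \Delta(d^n)(s_1, s_2) \\
&= d^{n+1}(s_1, s_2).
\end{aligned}
\]

• Furthermore, 

\[
\begin{aligned}
d_{\mathcal{R}}^\omega([s_1], [s_2]) &= \sup_n d_{\mathcal{R}}^n([s_1], [s_2]) \\
&= \sup_n d^n(s_1, s_2) && [\text{induction}] \\
&= d_1(s_1, s_2).
\end{aligned}
\]

□ 

To simplify the formula even further, we exploit the following three observations. 

• Since $d$ is a pseudometric, $d(s_i, s_i) = 0$ and $d(s_i, s_j) = d(s_j, s_i)$. Therefore, in $\text{pseudo}(d) \wedge \text{post-fixed}(d)$ 
we can replace all $d_{ii}$'s with zero and all $d_{ij}$'s where $i > j$ with $d_{ji}$'s. As 
a consequence, we only need to consider $d_{ij}$'s with $i < j$. This reduces the number of 
variables in the formula considerably. 
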
• Let $C$ be the set of pairs of states for which the distances have already been computed. 
Then 

\[ \exists d\; \text{pseudo}(d) \wedge \text{post-fixed}(d) \wedge d_{i_0 j_0} < m \]

is equivalent to 

\[ \exists d\; \text{pseudo}(d) \wedge \text{post-fixed}(d) \wedge d_{i_0 j_0} < m \wedge \bigwedge_{(s_i, s_j) \in C} d_{ij} = d_1(s_i, s_j) \]

since $d_1$ is the greatest post-fixed point. As a consequence, we can replace all $d_{ij}$'s where 
$(s_i, s_j) \in C$ with their already computed distances $d_1(s_i, s_j)$. Again, the number of variables 
may be reduced. 

• If iii j = 0, we can infer that /i« = for all 1 < i < N. As a consequence, we can replace 
the occurrences of all those /Xjj's with 0. Symmetrically, if 7r,- j = we can simplify the 
formula similarly. Also this simplification may reduce the number of variables. 

We have implemented these simplifications in the form of a Java program that takes 
as input the probability matrix $\pi$ and that produces as output the simplified formula in a 
format that can be fed to Mathematica.¹ 

Example B.10. Consider the probabilistic transition system of Example 2.2. The simplified 
formula for this system is given below. 

    Reduce[
     Exists[d12,
      (0 <= d12 <= 1) && (0.11112 <= d12 + 0.27778) && (d12 <= 0.38889) &&
      Exists[{u12, u13, u32, u42, u43, u33},
       (0 <= u12 <= 1) && (0 <= u13 <= 1) && (0 <= u32 <= 1) &&
       (0 <= u42 <= 1) && (0 <= u43 <= 1) &&
       (u12 + u32 + u42 == 0.4) && (u13 + u43 + u33 == 0.6) &&
       (u12 + u13 == 0.7) && (u32 + u33 == 0.1) && (u42 + u43 == 0.2) &&
       (d12 * u12 + 0.11112 * u13 + 0.27778 * u32 + u42 + u43 <= d12)] &&
      Exists[{u21, u23, u24, u31, u33, u34},
       (0 <= u21 <= 1) && (0 <= u23 <= 1) && (0 <= u24 <= 1) &&
       (0 <= u31 <= 1) && (0 <= u34 <= 1) &&
       (u21 + u31 == 0.7) && (u23 + u33 == 0.1) && (u24 + u34 == 0.2) &&
       (u21 + u23 + u24 == 0.4) && (u31 + u33 + u34 == 0.6) &&
       (d12 * u21 + 0.27778 * u23 + u24 + 0.11112 * u31 + u34 <= d12)] &&
      (0 <= d12 <= 0.5)]]

Line 3 corresponds to $\text{pseudo}(d)$, lines 4-9 correspond to $\text{post-fixed}_1(d, 1, 2)$ and lines 10-15 
correspond to $\text{post-fixed}_1(d, 2, 1)$. The formula was reduced to true by Mathematica in 8.2 
seconds on a 3GHz machine with 1GB RAM. When feeding Mathematica the formula that 
has not been simplified, it runs out of memory after some time. 

We also attempted to solve this example with a solver called QEPCAD B [9] but the 
performance of Mathematica on this example was better. 



¹The code and documentation are available at the URL www.cse.yorku.ca/~franck/research/pm2m. 